I recently encountered a challenging situation where a user lost their phone, and unfortunately, they didn't save any backup codes. The authenticator app is gone, and IT doesn't have a recovery option set up because they believe 'MFA is security; you can't just bypass it.' After three hours of trying, we realized that we would have to escalate to a vendor support ticket, which could take 48 hours. I'm curious how others manage account recovery for TOTP (Time-based One-Time Password) systems at scale. It seems like any solution might either create security issues or lead to a support nightmare.
4 Answers
What do you mean by saying 'IT has no recovery path configured'? If a user gets a new phone, they can generally reinstall the authenticator app without involving the vendor, especially if you’re using a single sign-on system. It sounds like there are some misunderstandings here.
In cases like this, the common approach is to reset the MFA and let the user enroll a new device. If they don't have a backup device, sometimes providing a temporary hardware token can help. I'm a bit confused as to why this is such a big issue—the steps seem straightforward!
Exactly! It's crucial to see the security holes in just restoring tokens without identity verification. Vendor procedures can be a hassle, but it’s essential for security.
Honestly, a well-designed MFA system allows an admin to reset a user's settings regardless of the situation. If your current system isn’t delivering that, maybe it’s time to look elsewhere for a solution.
Definitely! There should always be a way to manage user access without being completely locked out due to a lost device.
From what you've described, it seems you should be able to reset the MFA after verifying the user’s identity. That’s standard practice, so I'd question the setup if this isn't possible.
If they truly can’t reset MFA, then something's wrong with your admin capabilities. You should be able to add new auth methods easily.

It’s all about verifying the user's identity first. You wouldn’t want to just reset it without confirming it's really them.
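As an added illustration of the recovery model several answers describe (identity verification before an admin reset, then re-enrollment, with backup codes issued at enrollment), and not code from the original thread: a minimal RFC 6238 TOTP verifier with hashed single-use backup codes and an audited admin reset. The `MfaRecord` class and its `identity_verified` flag are assumptions for the example, not any vendor's API.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

class MfaRecord:
    """Per-user MFA state (hypothetical): TOTP secret, hashed backup codes, audit trail."""
    def __init__(self):
        self.secret, self.backup_hashes, self.audit = None, set(), []

    def enroll(self):
        # Issue a fresh secret and 8 backup codes; only hashes are kept server-side,
        # so the plaintext codes are shown to the user exactly once at enrollment.
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        codes = [secrets.token_hex(5) for _ in range(8)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        self.audit.append("enroll")
        return self.secret, codes

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        # Accept the current TOTP window plus one step either side for clock skew.
        if self.secret and any(hmac.compare_digest(code, totp(self.secret, now + d * 30))
                               for d in (-1, 0, 1)):
            return True
        h = hashlib.sha256(code.encode()).hexdigest()
        if h in self.backup_hashes:          # backup codes are single use
            self.backup_hashes.discard(h)
            self.audit.append("backup_code_used")
            return True
        return False

    def admin_reset(self, admin, identity_verified):
        # Helpdesk path for a lost device: refuse unless identity was verified
        # out of band, and record the outcome either way for later review.
        if not identity_verified:
            self.audit.append(f"reset_denied:{admin}")
            raise PermissionError("verify the user's identity before resetting MFA")
        self.secret, self.backup_hashes = None, set()
        self.audit.append(f"reset_by:{admin}")
```

After `admin_reset`, the user re-enrolls with `enroll()`, which is the "reset and let the user enroll a new device" flow the answers describe; a temporary hardware token would simply be another factor accepted by `verify`.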